---
layout: docs
page_title: Sentinel Properties
sidebar_title: Properties
description: An overview of how Sentinel interacts with Vault Enterprise.
---

# Properties

Vault injects a rich set of data into the running Sentinel environment,
allowing for very fine-grained controls. The set of available properties is
enumerated on this page, grouped by the (Sentinel) namespace in which each
property appears, and all of them can be referenced directly in Sentinel
policies.

## Namespace Properties

The `namespace` (Sentinel) namespace gives access to information about the
namespace in which the request is running. This may differ from the client's
own namespace when a request reaches into a child namespace.

| Name   | Type     | Description                    |
| :----- | :------- | :----------------------------- |
| `id`   | `string` | The namespace ID               |
| `path` | `string` | The root path of the namespace |

## Request Properties

The following properties are available in the `request` namespace.

| Name                     | Type                  | Description                                                                                 |
| :----------------------- | :-------------------- | :------------------------------------------------------------------------------------------ |
| `connection.remote_addr` | `string`              | TCP/IP source address of the client                                                         |
| `data`                   | `map (string -> any)` | Raw request data                                                                            |
| `operation`              | `string`              | Operation type, e.g. "read" or "update"                                                     |
| `path`                   | `string`              | Path, with any leading `/` trimmed                                                          |
| `policy_override`        | `bool`                | `true` if a `soft-mandatory` policy override was requested                                  |
| `unauthenticated`        | `bool`                | `true` if the requested path is an unauthenticated path                                     |
| `wrapping.ttl`           | `duration`            | The requested response-wrapping TTL in nanoseconds, suitable for use with the `time` import |
| `wrapping.ttl_seconds`   | `int`                 | The requested response-wrapping TTL in seconds                                              |

### Replication Properties

The following properties exist in the `replication.mode` namespace.

| Name          | Type     | Description                                                                                                    |
| :------------ | :------- | :------------------------------------------------------------------------------------------------------------- |
| `dr`          | `string` | The state of DR replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary"          |
| `replication` | `string` | The state of performance replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
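The following policy is an added example, not code from this page or from Vault itself, showing how the `request` and `replication.mode` properties above combine in one rule. It assumes a KV v2 mount at `secret/` (so the written payload sits under `request.data["data"]`), a constructed wrapping-TTL limit, and the `strings` and `types` Sentinel imports.

```sentinel
import "strings"
import "types"

# Constructed values for this example; adjust to your own mounts and limits.
max_wrap_ttl_seconds = 300              # response-wrapping TTL limit (5 minutes)
protected_prefix = "secret/data/prod/"  # assumed KV v2 mount path

# Only mutating operations are gated; reads and lists pass through.
is_write = rule {
    request.operation in ["create", "update", "delete"]
}

# request.wrapping.ttl_seconds is 0 when no wrapping was requested, so an
# unwrapped write trivially satisfies the limit.
short_wrap = rule {
    request.wrapping.ttl_seconds <= max_wrap_ttl_seconds
}

# Mutating requests should land on a performance primary or an unreplicated
# cluster; a secondary is not where prod writes are expected to originate.
on_writable_cluster = rule {
    replication.mode.replication in ["disabled", "primary"]
}

# KV v2 writes carry the user payload under request.data["data"]. Refuse a
# write that stores a key named "password" with fewer than 16 characters.
# Both lookups may be undefined (no payload, or no such key), so each is
# checked before use.
func strong_password() {
    payload = request.data["data"]
    if payload is undefined {
        return true
    }
    pw = payload["password"]
    if pw is undefined {
        return true
    }
    if types.type_of(pw) is not "string" {
        return false
    }
    return length(pw) >= 16
}

main = rule when strings.has_prefix(request.path, protected_prefix) and is_write {
    short_wrap and on_writable_cluster and strong_password()
}
```

Because `request.path` has its leading `/` trimmed, the prefix is written without one. A source-address restriction on `request.connection.remote_addr` belongs in the same `when` clause; Sentinel's `sockaddr` import is the right tool for CIDR matching there, rather than string prefix checks, which would also match unrelated ranges.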

## Token Properties

The following properties, if available, are in the `token` namespace. The
namespace will not exist if there is no token information attached to a
request, e.g. when logging in.

| Name                       | Type                     | Description                                                                                                                        |
| :------------------------- | :----------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
| `creation_time`            | `string`                 | The timestamp of the token's creation, in RFC3339 format                                                                           |
| `creation_time_unix`       | `int`                    | The timestamp of the token's creation, in seconds since Unix epoch UTC                                                             |
| `creation_ttl`             | `duration`               | The TTL the token was first created with in nanoseconds, suitable for use with the `time` import                                   |
| `creation_ttl_seconds`     | `int`                    | The TTL the token was first created with in seconds                                                                                |
| `display_name`             | `string`                 | The display name set on the token, if any                                                                                          |
| `entity_id`                | `string`                 | The Identity entity ID attached to the token, if any                                                                               |
| `explicit_max_ttl`         | `duration`               | If the token has an explicit max TTL, the duration of the explicit max TTL in nanoseconds, suitable for use with the `time` import |
| `explicit_max_ttl_seconds` | `int`                    | If the token has an explicit max TTL, the duration of the explicit max TTL in seconds                                              |
| `metadata`                 | `map (string -> string)` | Metadata set on the token                                                                                                          |
| `num_uses`                 | `int`                    | The number of uses remaining on a use-count-limited token; 0 if the token has no use-count limit                                   |
| `path`                     | `string`                 | The request path that resulted in creation of this token                                                                           |
| `period`                   | `duration`               | If the token has a period, the duration of the period in nanoseconds, suitable for use with the `time` import                      |
| `period_seconds`           | `int`                    | If the token has a period, the duration of the period in seconds                                                                   |
| `policies`                 | `list (string)`          | Policies directly attached to the token                                                                                            |
| `role`                     | `string`                 | If created via a token role, the role that created the token                                                                       |
| `type`                     | `string`                 | The type of token, currently will be either `batch` or `service`                                                                   |

## Token Namespace Properties

The following properties, if available, are in the `token.namespace` namespace.
The (Sentinel) namespace will not exist if there is no token information attached to a
request, e.g. when logging in.

| Name   | Type     | Description                    |
| :----- | :------- | :----------------------------- |
| `id`   | `string` | The namespace ID               |
| `path` | `string` | The root path of the namespace |
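The following policy is an added example, not code from this page or from Vault, that uses the `token` and `token.namespace` properties above to gate access to the system backend. The path prefix, namespace path and TTL limit are constructed for the example, and the rule assumes the `strings` import.

```sentinel
import "strings"

# Constructed values for this example.
max_creation_ttl_seconds = 86400      # 24 hours
privileged_prefix = "sys/"            # assumed: system backend paths
admin_namespace_path = "admin/"       # assumed root path of an admin namespace

# Requests that carry no token (logins, unauthenticated paths) have no
# `token` namespace at all, so guard every token access with this rule first.
has_token = rule { token is not undefined }

# Service tokens only: batch tokens cannot be renewed and are not
# individually revocable, which makes them a poor fit for privileged work.
service_token = rule { token.type is "service" }

# A token minted with a very long TTL is acceptable only if its lifetime is
# bounded some other way: a period (forcing renewals) or an explicit max TTL.
bounded_lifetime = rule {
    token.creation_ttl_seconds <= max_creation_ttl_seconds or
    token.period_seconds > 0 or
    token.explicit_max_ttl_seconds > 0
}

# Require an Identity entity behind the token so the actor is attributable,
# and require the token to have come from a named token role.
attributable = rule {
    token.entity_id is not "" and token.role is not ""
}

# The token must belong to the admin namespace or one of its children; a
# token issued in an unrelated namespace should not reach sys/ here.
from_admin_namespace = rule {
    strings.has_prefix(token.namespace.path, admin_namespace_path)
}

main = rule when strings.has_prefix(request.path, privileged_prefix) {
    has_token and service_token and bounded_lifetime and
    attributable and from_admin_namespace
}
```

The `has_token` rule is listed first in `main` so that the remaining rules are only evaluated once the `token` namespace is known to exist; on a login request the policy fails closed rather than evaluating to undefined.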

## Identity Properties

The following properties, if available, are in the `identity` namespace. The
namespace may not exist if there is no token information attached to the
request; however, at login time the user's request data will be used to attempt
to find any existing Identity information, or create some information to pass
to MFA functions.

### Entity Properties

These exist at the `identity.entity` namespace.

| Name                | Type                     | Description                                                   |
| :------------------ | :----------------------- | :------------------------------------------------------------ |
| `creation_time`     | `string`                 | The entity's creation time in RFC3339 format                  |
| `id`                | `string`                 | The entity's ID                                               |
| `last_update_time`  | `string`                 | The entity's last update (modify) time in RFC3339 format      |
| `metadata`          | `map (string -> string)` | Metadata associated with the entity                           |
| `name`              | `string`                 | The entity's name                                             |
| `merged_entity_ids` | `list (string)`          | A list of IDs of entities that have been merged into this one |
| `aliases`           | `list (alias)`           | List of aliases associated with this entity                   |
| `policies`          | `list (string)`          | List of the policies set on this entity                       |

### Alias Properties

These can be retrieved from `identity.entity.aliases`.

| Name                     | Type                     | Description                                                                                                                                   |
| :----------------------- | :----------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------- |
| `creation_time`          | `string`                 | The alias's creation time in RFC3339 format                                                                                                   |
| `id`                     | `string`                 | The alias's ID                                                                                                                                |
| `last_update_time`       | `string`                 | The alias's last update (modify) time in RFC3339 format                                                                                       |
| `metadata`               | `map (string -> string)` | Metadata associated with the alias                                                                                                            |
| `merged_from_entity_ids` | `list (string)`          | If this alias was attached to the current entity via one or more merges, the original entity/entities will be in this list                    |
| `mount_accessor`         | `string`                 | The immutable accessor of the mount that created this alias                                                                                   |
| `mount_path`             | `string`                 | The path of the mount that created this alias; unlike the accessor, there is no guarantee that the current path represents the original mount |
| `mount_type`             | `string`                 | The type of the mount that created this alias                                                                                                 |
| `name`                   | `string`                 | The alias's name                                                                                                                              |

### Groups Properties

These exist at the `identity.groups` namespace.

| Name      | Type                    | Description                                                                                                                                     |
| :-------- | :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- |
| `by_id`   | `map (string -> group)` | A map of group ID to group information                                                                                                          |
| `by_name` | `map (string -> group)` | A map of group name to group information; unlike the group ID, there is no guarantee that the current name will always represent the same group |

### Group Properties

These can be retrieved from the `identity.groups` maps.

| Name                | Type                     | Description                                                        |
| :------------------ | :----------------------- | :----------------------------------------------------------------- |
| `creation_time`     | `string`                 | The group's creation time in RFC3339 format                        |
| `id`                | `string`                 | The group's ID                                                     |
| `last_update_time`  | `string`                 | The group's last update (modify) time in RFC3339 format            |
| `metadata`          | `map (string -> string)` | Metadata associated with the group                                 |
| `name`              | `string`                 | The group's name                                                   |
| `member_entity_ids` | `list (string)`          | A list of IDs of entities that are directly assigned to this group |
| `parent_group_ids`  | `list (string)`          | A list of IDs of groups that are parents of this group             |
| `policies`          | `list (string)`          | List of the policies set on this group                             |

## MFA Properties

These properties exist at the `mfa` namespace.

| Name      | Type                     | Description                               |
| :-------- | :----------------------- | :---------------------------------------- |
| `methods` | `map (string -> method)` | A map of method name to method properties |

### MFA Method Properties

These properties can be accessed via the `mfa.methods` selector.

| Name    | Type   | Description                                                                                                                                                                                                                                   |
| :------ | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `valid` | `bool` | Whether the method has successfully been validated; if validation has not been attempted, this will trigger the validation attempt. The result of the validation attempt will be used for this method for all policies for the given request. |
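The following policy is an added example, not code from this page or from Vault, that serves both the Identity properties (entity, aliases and groups) and the MFA method property above. The path prefix, group name, auth-method type and MFA method name are constructed for the example; it also assumes, as in Vault, that `identity.groups` holds the groups of the requesting entity, and uses the `strings` import.

```sentinel
import "strings"

# Constructed values for this example.
deploy_prefix = "secret/data/deploy/"   # assumed KV v2 mount path
required_group = "deployers"            # assumed identity group name
trusted_mount_type = "ldap"             # assumed auth method type
mfa_method = "corp-totp"                # assumed name of a configured MFA method

# Identity data is attached to authenticated requests and is also assembled
# at login time; still guard against its absence.
has_identity = rule { identity is not undefined }

# Membership is resolved by group name for readability. Names are not stable
# (see by_name above), so the entity is additionally required to be a direct
# member of that group rather than trusting the name alone.
in_required_group = rule {
    identity.groups.by_name[required_group] is not undefined and
    identity.entity.id in identity.groups.by_name[required_group].member_entity_ids
}

# At least one alias on the entity must have been created by the trusted auth
# method type. mount_type and mount_accessor are stable; mount_path may have
# been remounted since the alias was created, so it is deliberately not used.
trusted_alias = rule {
    any identity.entity.aliases as alias {
        alias.mount_type is trusted_mount_type
    }
}

# Reading mfa.methods.<name>.valid triggers the validation attempt if it has
# not run yet; its result is reused for this method across every policy
# evaluated for this request.
mfa_passed = rule { mfa.methods[mfa_method].valid }

main = rule when strings.has_prefix(request.path, deploy_prefix) {
    has_identity and in_required_group and trusted_alias and mfa_passed
}
```

Ordering matters in `main`: the cheap identity checks come first, and the MFA lookup, which may prompt the user, is only reached once the other conditions hold.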

## Control Group Properties

These properties exist at the `controlgroup` namespace.

| Name                   | Type                   | Description                                 |
| :--------------------- | :--------------------- | :------------------------------------------ |
| `time`, `request_time` | `string`               | The original request time in RFC3339 format |
| `authorizations`       | `list (authorization)` | List of control group authorizations        |

### Control Group Authorization

These properties can be accessed via the `controlgroup.authorizations` selector.

| Name     | Type              | Description                                                |
| :------- | :---------------- | :--------------------------------------------------------- |
| `time`   | `string`          | The authorization time in RFC3339 format                   |
| `entity` | `identity.entity` | The identity entity for the authorizer                     |
| `groups` | `identity.groups` | The map of identity groups associated with the authorizer  |
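The following policy is an added example, not code from this page or from Vault, that walks `controlgroup.authorizations` and applies the entity and groups properties of each authorizer. The approver group name, the required number of distinct approvers and the freshness window are constructed for the example; RFC3339 timestamps are parsed with Sentinel's `time` import.

```sentinel
import "time"

# Constructed values for this example.
approver_group = "security-team"     # assumed identity group name
min_distinct_approvers = 2
max_age_seconds = 3600               # an approval older than this is stale

# Is this authorizer a direct member of the approver group? The groups map is
# keyed by name here, so membership is confirmed via member_entity_ids.
func approver_in_group(auth) {
    return auth.groups.by_name[approver_group] is not undefined and
        auth.entity.id in auth.groups.by_name[approver_group].member_entity_ids
}

# Count distinct authorizing entities so that one person approving twice
# does not satisfy a two-person rule.
func distinct_approvers() {
    ids = []
    for controlgroup.authorizations as auth {
        if auth.entity.id not in ids {
            append(ids, auth.entity.id)
        }
    }
    return length(ids)
}

# Every authorization must have been given after the original request and
# within max_age_seconds of it. Both timestamps are RFC3339 strings.
func approvals_are_fresh() {
    requested = time.load(controlgroup.request_time)
    return all controlgroup.authorizations as auth {
        time.load(auth.time).unix >= requested.unix and
        time.load(auth.time).unix - requested.unix <= max_age_seconds
    }
}

main = rule {
    approvals_are_fresh() and
    distinct_approvers() >= min_distinct_approvers and
    any controlgroup.authorizations as auth { approver_in_group(auth) }
}
```

The `controlgroup` namespace is only populated while a control-grouped request is being re-evaluated, so this rule is meant for the EGP that carries the control group configuration; the approval count configured there is enforced by Vault itself, and the checks above layer additional conditions (freshness, distinct approvers, group membership) on top of it.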
